
Is there an OID in Sophos that displays packets or attacks dropped based on country? I'd like to plug this into Grafana's World Map plugin.

So I am building a dashboard; I will be using the OIDs to plug the data into the UI using SNMP.

I have downloaded the MIB file from the UTM Management Central. I have used an OID viewer to get OIDs, and there are tons...

I was wondering if there are OIDs that show the number of attacks, attacks dropped, etc., especially like the ones shown in the graphs above, based on the country. I could plug that data into the dashboard's world map plugin.

I will be using Grafana and Telegraf. They have a world map plugin where you can plug in your data. I just need to know if there are OIDs that can show this. Most of my previous noob posts have gone unanswered; well, I hope I can get some response.



  • The first step is to enable Country Blocking, even if you do not intend to block any countries. This will cause country="name" clauses to be added to every entry in the webfilter log and packetfilter log. I do not believe country clauses will appear in any other log files because the country blocking only occurs in these modules.

    This means that all blocked traffic will be logged, but allowed non-web traffic may not be logged. Firewall Rules can be added to log all allowed traffic, if the traffic is handled by the Firewall Rules. However, if the packet is not blocked by a Country Blocking rule, then it may be passed to another module, such as WAF or SNMP. That traffic will not be logged by packetfilter at all, and the module that handles it may block or allow, but the log entry will not be tied to country.

    There was a bug related to Country Blocking with Web Filtering when AD SSO was enabled. This was fixed in 9.510. In prior versions, the Country assignment was inconsistent: one FQDN-IP pair could get different country assignments at different times, and an excessive number of FQDN-IP pairs would get country unknown.

    That is what I know about the raw data. Parsing it is left up to you or your SIEM tools.
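A minimal parser for the country="name" clauses described in the answer above, added here as an example and not code from any reply or from Sophos; the log lines are constructed in the UTM key="value" style (assumed field names `sub`, `action`, `country`), and the measurement and tag names in the Telegraf line-protocol output are my own choice.

```python
import re
from collections import Counter

# Constructed sample lines in the UTM key="value" log style. Assumption: real
# entries carry more fields; only sub, action and country matter for counting.
SAMPLE_LOG = """\
2019:03:01-10:00:01 utm ulogd[1234]: sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="203.0.113.5" dstip="198.51.100.1" dstport="22" country="Country A"
2019:03:01-10:00:02 utm ulogd[1234]: sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="203.0.113.9" dstip="198.51.100.1" dstport="23" country="Country A"
2019:03:01-10:00:03 utm ulogd[1234]: sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" srcip="192.0.2.7" dstip="198.51.100.2" dstport="443" country="Country B"
2019:03:01-10:00:04 utm httpproxy[5678]: sub="http" name="web request blocked" action="block" srcip="192.0.2.8" dstip="198.51.100.3" url="http://example.invalid/" country="Country B"
2019:03:01-10:00:05 utm ulogd[1234]: sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="198.51.100.77" dstip="198.51.100.1" dstport="22"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
BLOCKED = {"drop", "block", "reject"}   # actions counted as "dropped"

def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))

def blocked_by_country(text):
    """Count blocked packetfilter/webfilter entries per (module, country).
    Entries without a country clause (the case the answer warns about for
    traffic handled by other modules) are counted under 'unknown'."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_line(line)
        if fields.get("action") not in BLOCKED:
            continue
        counts[(fields.get("sub", "?"), fields.get("country", "unknown"))] += 1
    return counts

def to_influx(counts, measurement="utm_blocked"):
    """Render counts as InfluxDB line protocol for Telegraf's exec input
    (data_format = "influx"); commas, spaces and '=' in tag values are escaped."""
    def tag(v):
        return v.replace(",", r"\,").replace(" ", r"\ ").replace("=", r"\=")
    return "\n".join(f"{measurement},sub={tag(sub)},country={tag(c)} count={n}i"
                     for (sub, c), n in sorted(counts.items()))

if __name__ == "__main__":
    print(to_influx(blocked_by_country(SAMPLE_LOG)))
```

Mapping country names to the codes or coordinates the World Map plugin expects is a separate lookup step on the Grafana side.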

  • I see country= in the Web Filtering log, but not in any other logs.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA